Severity Framework
Snyk CCSS
Rule category
Network / Firewall
Is your enviroment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsFrameworks
- Snyk ID SNYK-CC-00757
- credit Snyk Research Team
Description
Enabling AWS WAF on API Gateways mitigates the risk of common web exploits that could affect application availability, compromise security, or consume excessive resources. Without WAF, API Gateways are more vulnerable to attacks such as SQL injection and cross-site scripting (XSS).
How to fix?
Set the resource_arn
of aws_wafv2_web_acl_association
to aws_api_gateway_stage.arn
and web_acl_arn
to aws_wafv2_web_acl.arn
.
Example Configuration
resource "aws_api_gateway_stage" "valid_example" {
deployment_id = aws_api_gateway_deployment.valid_example.id
rest_api_id = aws_api_gateway_rest_api.valid_example.id
stage_name = "valid_example"
}
resource "aws_wafv2_web_acl" "valid_example" {
name = "web-acl-association-valid_example"
scope = "REGIONAL"
default_action {
allow {}
}
visibility_config {
cloudwatch_metrics_enabled = false
metric_name = "friendly-metric-name"
sampled_requests_enabled = false
}
}
resource "aws_wafv2_web_acl_association" "valid_example" {
resource_arn = aws_api_gateway_stage.valid_example.arn
web_acl_arn = aws_wafv2_web_acl.valid_example.arn
}